Monday, August 15, 2011

Timthumb.php Security Vulnerability [Wordpress Theme]

This news is very famous in this week and I got some page to this post for my read. If you want to see full article or detail of the news, please go to the source.

The NewsThere has been some buzz about a zero day vulnerability found in Timthumb.php that can allow for arbitrary file uploads. Although this is a platform independent issue, it is specially an issue on WordPress where a lot of theme authors choose to include scripts in themes without any extra security measures.You can read more details about the TimThumb issue here: markmaunder.comThis is definitely an issue, but it’s just the tip of the iceberg. TimThumb is just one of various scripts that are being added to themes/plugins without further vetting, or even incorrectly. Take Uploadify for example, which we’ve recently seen being exploited in very old versions of a popular WordPress theme.

Another issue is inexperience, well, along with laziness in some cases. WordPress has built in a lot of great capabilities that aren’t being properly leveraged. For example, if theme/plugin authors were properly leveraging add_image_size vs. adding TimThumb they would be in a safer position today.Unfortunately this is not an easy problem to tackle. WordPress core has a great review and vetting process, it is very controlled for good reason. The problem here is really around plugins and themes, it’s not as simple as you may think to check every release being there are thousands of free and premium options on the market today.

Minimize Your Risk

Here are a few things that if put into practice, will help you minimize the risk of getting exploited:

details and scripts of the WordPress Timthumb.php hack

I also run the latest version of WordPress.org.My WordPress root directory was writable, but making it read only would not have prevented the hack.Timthumb.php in it’s default configuration allows site visitors to load images from a predefined set of remote websites for resizing and serving. Timthumb offers a caching mechanism so that it doesn’t have to continually re-process images. The cache directory lives under the wordpress root and is accessible by visitors to the website.The ability for a site visitor to load content from a remote website and to make the web server write that remote content to a web accessible directory is the cause of the vulnerability in timthumb.php.To be clear, timthumb.php does not actually execute any remote malicious code that causes this vulnerability. This was a point of confusion among some commenters in my blog post yesterday. It simply gets a remote file and places it in a web accessible directory.Timthumb only allows remote content from a small range of websites to be loaded remotely. In it’s default configuration these included Blogger, WordPress.com and other sites that are writeable by the general public.Timthumb’s verification that remote content was only being loaded by these domains was also broken. You could for example load content from hackersiteblogspot.com or from blogspot.com.hackersite.com.I’ve submitted a patch that fixes the pattern matching and removed all default public hosting sites from the allowed sites list. The developer has opted to keep a small list in which I’m not in favor of.In my case the hacker uploaded a script to my cache directory which timthumb.php stores as “external_.php”. He/she then accessed this script directly in my timthumb cache directory as something like http://markmaunder.com/wp-content/themes/Memoir/scripts/cache/external_md5hash.phpThe script uploaded was Alucar shell which is base64 encoded and decodes when it executes. That makes it a little harder to find it using grep or similar tool. You can see the encoded version of Alucar here and the decoded version of Alucar here (without the username and password preamble at the top).Here’s a screenshot of the UI:

This script which gives a web based shell access was then used to inject base64 code to one of my core wordpress files wp-blog-header.php which lives in the wordpress root directory. The file with injected code looked like this.The decoded version of this base64 code is this. The code executes whenever a blog page is visited. It fetches a file from a URL and writes it to /tmp. Then it executes the php code that is contained in this file. In my case it simply echo’d some javascript code that would show ads. Here is the code contained in the file in /tmp.Again, this file is periodically updated with new PHP code, so the attacker could have his way with my server until I found out about it. The code could be altered to instead become a spam system and work it’s way through a long list of spam emails.The way I tracked this to conclusion was:

List of Themes

The Timthumb 0-day security vulnerability is generating a lot of noise and for good reason. If you have a theme that includes TimThumb, your site can be easily hacked.Because of this, we checked the WordPress Free Themes Directory and aggregated a list of themes that include TimThumb.If you use any of the following themes please check to see if the script is present, and make sure it is updated:

Caution:This is not a full list of every theme in the directory that may include TimThumb, just a good start. Even if your theme is not found on this list it is a good idea to do a thorough review for the script, and not a bad thought to contact the theme author.Note: We only listed the free themes found in the WordPress Free Themes Directory SVN, there are probably many more themes that include TimThumb in the premium theme market. Make sure to check with your vendor to ensure the vulnerability has been fixed if they include the script.Edit: Thanks to @ottodestruct for clarifying that not all of these themes are approved and/or available to the public via the WordPress Free Themes Directory. Although they are currently found in the theme repository, they are not all publicly available for download.